Details:

Summary The Norwegian DPA has imposed a fine of EUR 30,000 on Lillestrøm Municipality.

The municipality had accidentally published a document in which 10 out of 21 attachments contained personal data of students. The data included information on student names, date of birth, test results, assessments of student behavior and student challenges. This error was not detected by the responsible administrator and went through two more manual quality checks at the documentation center without the error being detected there as well.
It was only a journalist who later drew attention to the data breach.

During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to protect personal data.
Also, the fact that the incident was discovered not by the municipality, but by a third party, indicates inadequate routines in this area.
Link: link
Related articles:  Art. 5 GDPR, Art. 6 GDPR, Art. 32 (1) b) GDPR
Type: Insufficient technical and organisational measures to ensure information security
Fine: EUR 30,000
Sector Public Sector and Education

 

All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/

Tags: case law